



Fig. 2

[Figure: TCP header layout drawn in 32-bit rows (bit positions 0 to 31). Fields: Source Port, Destination Port, Sequence Number, Acknowledgment Number, Data Offset, Reserved, flags URG, ACK, PSH, RST, SYN, FIN, Window, Checksum, Urgent Pointer, Options, Padding, data. Reference numerals: 52, 50.]



Fig. 3 (PRIOR ART)

[Figure: state table. Labels: t1, t2, t3, t4, t5.]

Saddr          Daddr            Protocol   Sport   Dport   State
147.46.66.97   211.116.107.37   TCP        8434    80      SYN_RECV



Fig. 4

[Figure: reference numeral 10.]



Fig. 5

[Figure: block diagram. Reference numerals: 30, 310, 320. Blocks: packet verifying module; m.SYN cookie creating module; packet modifying module; state table updating module; search module; m.SYN cookie verifying module.]



Fig. 6

[Figure: flowchart. Step labels: S10, S20, S25, S28, S30, S40, S50, S62, S66, S68, S65, S70, S80. Box text, in the order it appears:
  send SYN packet to firewall 1 by client
  create m.SYN cookie
  modify SYN packet and update connection information
  send modified SYN packet to server
  send SYN/ACK packet to client by server
  extract ID fw from SYN/ACK packet by firewall 2
  discard packet
  discard packet
  send packet to corresponding firewall
  Does corresponding connection information exist? (branch: Y)
  discard packet
  (branch: Y)
  send connection information and packet to firewall 2
  modify SYN/ACK packet and update state table
  send modified SYN/ACK packet to client]



Fig. 7

[Figure: reference numerals 42, 44, 46, 40. Labels: SN; 17; To; Hash 13 + ID fw.]



Fig. 8

[Figure: state table. Labels: t1, t2, t3, t4, t5, t6, t7.]

Saddr          Daddr            Protocol   Sport   Dport   State      m.SYN cookie-ISNc
147.46.66.97   211.116.107.37   TCP        8434    80      SYN_RECV



